
Do Fourth-Party Vendors Need VRAs?

When assessing Software as a Service (SaaS) vendors, the vendor risk assessment (VRA) process doesn't end with the primary SaaS vendor you sign up with.
 
Many SaaS vendors offer useful integrations with other apps. Studies by Productiv in 2021 and 2023 put the average at 60 such integrations per SaaS provider, and 253 apps in use at the average small business.
 
That creates potential "hidden" risks that require more diligence on the "fourth-party vendors" your primary SaaS vendors integrate with.
 
This may not seem threatening: your SaaS vendor remains your primary vendor, and you'd expect it to work only with reliable vendors itself. But you are still exposed to any risk that materializes at those fourth-party vendors.
 
From data breaches to Internet or power outages to natural or man-made disasters at the fourth-party vendors, your business could be disrupted depending on which of your primary SaaS services rely on those fourth parties.
 
The difference is that these dozens to hundreds of fourth-party vendors can be invisible to you unless you take the time to unearth them and learn what part of your service and data they control and can access.
 
Obviously, that's a huge jump in risk assessments from my usual recommendation to whittle your list of finalists for your SaaS project to a mere 3. So, how do you manage that? 
 
To start, ask each SaaS provider candidate for a list of its critical vendors, meaning any vendor that could have an impact on your operations and/or have access to your data.
 
You can also ask your third-party vendor for its SOC 1 or SOC 2 report (the attestation reports issued under SSAE 18). These reports name the subservice organizations the vendor relies on for the system that was audited. Check which method the report uses: under the carve-out method the subservice organizations' own controls are excluded from the audit, and the report instead lists the complementary subservice organization controls the vendor expects them to operate. That list tells you which fourth parties matter to the audited service and what the vendor is counting on them for, though it will not cover every integration the vendor offers.
 
If you feel that problems at a fourth-party vendor could adversely impact your business, you can then delve further to ensure they have taken precautions to avoid downtime and recover quickly if something does happen.
 
Three key considerations determine whether a fourth-party vendor should be classified as critical:
  1. An outage at the fourth-party vendor would bring down your operations too
  2. A security breach at the fourth-party vendor would affect your security, particularly if it has access to your data
  3. A disaster at the fourth-party vendor would bring a halt to your business for an extended period of time
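The classification above is easy to state for one vendor but tedious for the dozens to hundreds of fourth parties that turn up once you collect vendor lists and SOC reports from several SaaS providers. The following script is an added example, not code from the original post, that applies the three considerations mechanically to a constructed inventory: each primary SaaS vendor is tagged with whether its outage would halt your operations and whether it holds your data, and each fourth party is tagged with whether it sits in that vendor's service path and whether it can access your data. Criteria 1 and 3 both come down to the service-path dependency (a disaster is an outage with a longer horizon), and criterion 2 to data access, so a fourth party is critical when either dependency chains through to you. It also flags fourth parties that appear behind more than one of your primary vendors, since one outage there would take down several services at once. All vendor names and attributes are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Primary:
    """A SaaS vendor you contract with directly (third party)."""
    name: str
    outage_halts_operations: bool  # would an outage of this service stop your work?
    holds_your_data: bool          # does this service store or process your data?


@dataclass(frozen=True)
class FourthParty:
    """A vendor that one of your primary SaaS vendors depends on."""
    name: str
    used_by: str            # the primary SaaS vendor that depends on it
    in_service_path: bool   # the primary's service stops if this party is down
    has_data_access: bool   # this party can read data the primary holds for you


# Constructed sample inventory (hypothetical vendors, assumed values).
PRIMARIES = {
    "Billing SaaS": Primary("Billing SaaS", outage_halts_operations=True, holds_your_data=True),
    "Marketing email SaaS": Primary("Marketing email SaaS", outage_halts_operations=False, holds_your_data=True),
}

FOURTH_PARTIES = [
    FourthParty("CloudHost A", "Billing SaaS", in_service_path=True, has_data_access=True),
    FourthParty("CloudHost A", "Marketing email SaaS", in_service_path=True, has_data_access=True),
    FourthParty("Payment processor", "Billing SaaS", in_service_path=True, has_data_access=True),
    FourthParty("Analytics vendor", "Marketing email SaaS", in_service_path=False, has_data_access=True),
    FourthParty("CDN", "Billing SaaS", in_service_path=True, has_data_access=False),
    FourthParty("Support ticketing", "Billing SaaS", in_service_path=False, has_data_access=False),
]


def classify(primaries, fourth_parties):
    """Map each fourth party to the set of reasons it is critical to you.

    "outage": criteria 1 and 3, the fourth party is in the service path of a
              primary whose outage would halt your operations.
    "breach": criterion 2, the fourth party can access your data held by a primary.
    An empty set means the fourth party is not critical to you.
    """
    reasons = {}
    for fp in fourth_parties:
        primary = primaries[fp.used_by]
        r = reasons.setdefault(fp.name, set())
        if fp.in_service_path and primary.outage_halts_operations:
            r.add("outage")
        if fp.has_data_access and primary.holds_your_data:
            r.add("breach")
    return reasons


def critical_fourth_parties(primaries, fourth_parties):
    """Sorted names of fourth parties that meet at least one criterion."""
    return sorted(name for name, r in classify(primaries, fourth_parties).items() if r)


def shared_fourth_parties(fourth_parties):
    """Fourth parties behind more than one primary vendor (concentration risk)."""
    users = {}
    for fp in fourth_parties:
        users.setdefault(fp.name, set()).add(fp.used_by)
    return {name: ps for name, ps in users.items() if len(ps) > 1}


if __name__ == "__main__":
    for name, r in sorted(classify(PRIMARIES, FOURTH_PARTIES).items()):
        print(f"{name:20} {'CRITICAL' if r else 'not critical':13} {sorted(r)}")
    for name, ps in shared_fourth_parties(FOURTH_PARTIES).items():
        print(f"concentration: {name} is behind {sorted(ps)}")
```

In practice the inventory rows come from the critical-vendor lists and SOC subservice-organization sections you requested; the value of the script is that it keeps the three criteria applied consistently across every primary vendor and surfaces the shared fourth parties that no single vendor's report would show you.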
For help determining which fourth-party vendors should be deemed critical, contact me at 302-537-4198, ericm@edminfopro.com or on our Contact form.

You can also request an online meeting.